March 16, 2026 · Developer Guide
How AI Agents Can Send Documents for Signature
A technical guide to adding e-signing to autonomous agent workflows — with a single API call.
Founder, Signbee
TL;DR
AI agents can send documents for legally binding e-signature using a single API call. According to Gartner's 2025 Emerging Technology Roadmap, 30% of enterprise software interactions will be handled by AI agents by 2028. Yet most e-signature platforms (DocuSign, Adobe Sign) require OAuth flows, template builders, and multi-step envelope configuration — infrastructure designed for human operators, not autonomous agents. Signbee reduces this to one POST request: send markdown, get a SHA-256 certified PDF.
“The next wave of SaaS infrastructure won't have dashboards. It will have endpoints. Document signing is one of the first categories where this shift is already happening.” — Michael Beckett, Founder of Signbee
The Shift from Humans to Autonomous Agents
AI agents are getting remarkably good at automating business processes — prospecting, drafting proposals, scheduling meetings, following up via email. But there's one step where nearly every autonomous workflow breaks down: getting a document signed.
Traditional e-signature platforms like DocuSign were built for human-driven workflows. They require OAuth authentication, template configuration, envelope management, and webhook handling. For a human clicking through a dashboard, this is fine. For an AI agent executing a multi-step workflow autonomously, it introduces friction that defeats the purpose of automation.
What an Agent Actually Needs
When an AI agent needs to send a document for signature, the requirements are surprisingly simple:
- Take the content the agent has already generated (a contract, NDA, proposal)
- Turn it into a presentable document
- Send it to the other party for review and signature
- Confirm both parties have signed
- Deliver the certified result
That's it. No template builder. No drag-and-drop signature fields. No multi-step envelope configuration. Just: here's the content, here's who needs to sign, make it happen.
The API Approach
Signbee was built to solve exactly this. The entire signing flow is a single HTTP request:
```bash
curl -X POST https://signb.ee/api/v1/send \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "markdown": "# Mutual NDA\n\nThis agreement is between...",
    "recipient_name": "Bob Smith",
    "recipient_email": "bob@acme.com"
  }'
```
The agent provides markdown (or a URL to an existing PDF), and Signbee handles everything else: PDF generation, email delivery, signature capture, and certificate creation.
How the Signing Flow Works
Under the hood, the flow is straightforward:
The certificate page is particularly interesting: it's part of the document that gets hashed, so any modification — even to the certificate itself — invalidates the integrity check.
Integration with AI Tools
Beyond the REST API, Signbee provides an MCP server (Model Context Protocol) that works directly with AI coding tools like Claude Desktop, Cursor, and Windsurf. This means an agent can call Signbee's signing capabilities as a native tool — no HTTP client code needed.
```json
{
  "mcpServers": {
    "signbee": {
      "command": "npx",
      "args": ["-y", "signbee-mcp"],
      "env": { "SIGNBEE_API_KEY": "YOUR_API_KEY" }
    }
  }
}
```
Deep-Dive: Legal Validity of Agent-Initiated Signing
A common question when implementing autonomous workflows is whether electronic signatures initiated or executed by artificial intelligence systems hold legal weight. Under the legal frameworks of the world's largest economies, the answer is a resounding yes, provided they adhere to core standards of intent, attribution, and document integrity.
Let's break down the three primary legal pillars that govern electronic signature validity across the US, the European Union, and the United Kingdom:
1. The ESIGN Act & UETA (United States)
In the United States, electronic signatures are validated by the federal **Electronic Signatures in Global and National Commerce (ESIGN) Act** (15 U.S.C. § 7001 et seq.) passed in 2000, alongside the state-level **Uniform Electronic Transactions Act (UETA)**.
Crucially, both ESIGN and UETA explicitly define and validate the actions of **"electronic agents."** Under the law, an electronic agent is defined as a computer program or other automated means used independently to initiate an action or respond to electronic records or performances. Section 101(h) of the ESIGN Act states that a contract or other record relating to a transaction may not be denied legal effect, validity, or enforceability solely because its formation or execution involved the interaction of electronic agents, or the interaction of an electronic agent and an individual.
This means when an AI agent initiates, compiles, or sends a contract for signing, the transaction is legally valid. The human or corporation operating the AI agent acts as the legal "principal," and the agent acts as their electronic tool.
2. The eIDAS Regulation (European Union)
Within the European Union, the legal framework is established by **Regulation (EU) No 910/2014**, commonly known as the **eIDAS Regulation** (Electronic Identification, Authentication and Trust Services).
Under eIDAS Article 25, an electronic signature cannot be denied legal admissibility in judicial proceedings solely because it is in electronic form or does not meet the requirements for a Qualified Electronic Signature. Signbee operates as an **Advanced Electronic Signature (AES)** system by ensuring:
- It is uniquely linked to the signer.
- It is capable of identifying the signer.
- It is created using electronic signature creation data that the signer can use under their sole control.
- It is linked to the data signed in such a way that any subsequent change of the data is detectable.
3. The Electronic Communications Act 2000 (United Kingdom)
In the UK, electronic signatures are governed by the **Electronic Communications Act 2000 (ECA 2000)** and the **Electronic Signatures Regulations 2002**.
Section 7 of the ECA 2000 validates that an electronic signature incorporated into or logically associated with an electronic communication is fully admissible in court. The Law Commission of England and Wales confirmed that automated contract formation—including agreements triggered or facilitated by computer systems and algorithms—is recognized under common law principles of contract and agency.
Cryptographic Trust Validation & SHA-256 PDF Hashing
To satisfy the legal requirement of **document integrity** (proving that the contract has not been altered since it was signed), e-signature platforms must employ cryptographic validation.
When a contract is executed on Signbee, the document content, the signer's handwritten/typed signature image, the verified email address, the signing timestamp, and the network IP address are compiled into a final PDF. Once generated, this PDF undergoes a secure cryptographic process:
How PDF Hashing and Cryptographic Verification Works:
- Hashing: The signing server calculates a **SHA-256 cryptographic hash** of the entire PDF byte array. This hash acts as an immutable 32-byte (256-bit) digital fingerprint.
- Signing: The calculated hash is signed with Signbee's private key. This creates a cryptographic digital signature.
- Embedding: The signature is written into the PDF's digital signature dictionary. The dictionary's standard `/ByteRange` field lists the exact byte ranges covered by the hash, so that only the signature value itself is excluded during verification.
- Viewer Verification: When the signed document is opened in standard PDF viewers (such as Adobe Acrobat Reader), the software automatically hashes the PDF bytes (excluding the signature space) and checks the result against the embedded signature using the signer's public key. If they match, the viewer shows a green checkmark indicating the document has not been tampered with.
If a malicious actor attempts to change a single letter, price, or date in the contract, the calculated SHA-256 hash will mismatch the signature hash, and the PDF reader will immediately flag the document as invalid and tampered.
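The `/ByteRange` check described above, as an added example (not Signbee's code). It assumes a constructed PDF-like byte string, a throwaway RSA key generated in the script, and a raw RSA signature in `/Contents` in place of the CMS structure real PDF signatures carry; `buildSignedFile`, `verifySignedFile` and `demo` are hypothetical names.

```javascript
const crypto = require('crypto');

const pad = (n) => String(n).padStart(10, '0'); // fixed width keeps offsets stable

// Constructed PDF-like file (assumption): /Contents holds a raw RSA signature as hex
function buildSignedFile(body, privateKey) {
  const pre = `%PDF-1.7\n${body}\n/ByteRange [`;
  const mid = ']\n/Contents ';
  const tail = Buffer.from('\n%%EOF\n', 'latin1');
  const gapStart = pre.length + 43 + mid.length;   // 43 = four padded numbers + 3 spaces
  const gapLen = 2 + 512;                          // "<" + 256-byte signature in hex + ">"
  const range = [0, gapStart, gapStart + gapLen, tail.length].map(pad).join(' ');
  const head = Buffer.from(pre + range + mid, 'latin1');
  const sig = crypto.sign('sha256', Buffer.concat([head, tail]), privateKey);
  return Buffer.concat([head, Buffer.from(`<${sig.toString('hex')}>`, 'latin1'), tail]);
}

function verifySignedFile(file, publicKey) {
  const text = file.toString('latin1');            // 1 char == 1 byte
  const m = /\/ByteRange \[(\d+) (\d+) (\d+) (\d+)\]/.exec(text);
  if (!m) return { ok: false, reason: 'no ByteRange' };
  const [off1, len1, off2, len2] = m.slice(1).map(Number);
  // Bytes outside the two ranges are not hashed, so the ranges must span the
  // whole file and the gap between them must hold only the signature value.
  if (off1 !== 0 || off2 <= len1 || off2 + len2 !== file.length)
    return { ok: false, reason: 'ByteRange does not cover whole file' };
  const gap = text.slice(len1, off2);
  if (!/^<[0-9a-f]+>$/i.test(gap)) return { ok: false, reason: 'gap is not a signature value' };
  const covered = Buffer.concat([file.subarray(0, len1), file.subarray(off2)]);
  const sha256 = crypto.createHash('sha256').update(covered).digest('hex');
  const ok = crypto.verify('sha256', covered, publicKey, Buffer.from(gap.slice(1, -1), 'hex'));
  return { ok, reason: ok ? 'valid' : 'signature mismatch', sha256 };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const file = buildSignedFile('Mutual NDA. Fee: 1000 USD. Signed: bob@acme.com', privateKey);
  const edited = Buffer.from(file);
  edited[edited.indexOf('1000')] = 0x39;           // one character changed: 1000 -> 9000
  const extended = Buffer.concat([file, Buffer.from('trailing bytes')]);
  return {
    original: verifySignedFile(file, publicKey),
    edited: verifySignedFile(edited, publicKey),
    extended: verifySignedFile(extended, publicKey),
  };
}

console.log(demo());
```

The coverage check runs before the signature check because a valid signature only vouches for the bytes inside the declared ranges.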
Programmatic Verification: Code Examples
In automated agentic workflows, you shouldn't just rely on visual PDF viewers. Your system should programmatically verify the integrity of the audit trail hash. Below are two production-ready scripts showing how to extract and verify the audit trail hash.
```javascript
const crypto = require('crypto');

// The public key from Signbee used to verify the signature
const SIGNBEE_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1+zS...
-----END PUBLIC KEY-----`;

/**
 * Verifies the integrity and authenticity of a Signbee audit log.
 * @param {string} auditLogJson - The raw JSON string of the audit log
 * @param {string} base64Signature - The signature of the audit log in Base64
 * @returns {boolean} True if the signature is valid, false otherwise
 */
function verifyAuditTrail(auditLogJson, base64Signature) {
  try {
    // 1. Calculate SHA-256 hash of the JSON content for logging/auditing
    const hash = crypto.createHash('sha256');
    hash.update(auditLogJson);
    const calculatedHash = hash.digest('hex');
    console.log(`Calculated SHA-256 Hash: ${calculatedHash}`);

    // 2. Create the verifier with the public key
    const verifier = crypto.createVerify('SHA256');
    verifier.update(auditLogJson);

    // 3. Verify the signature against the raw data
    const isValid = verifier.verify(
      SIGNBEE_PUBLIC_KEY,
      base64Signature,
      'base64'
    );
    return isValid;
  } catch (error) {
    // Malformed keys or signatures are treated as a failed verification
    console.error("Verification system error:", error.message);
    return false;
  }
}

// Example payload returned by Signbee webhook.
// In a real handler, pass the raw body string exactly as received:
// the signature covers those bytes, and re-serializing parsed JSON can change them.
const sampleAuditLog = JSON.stringify({
  document_id: "doc_8f7b2c9d4e",
  created_at: "2026-05-29T10:00:00Z",
  signers: [
    { email: "alice@acme.com", ip: "192.168.1.50", signed_at: "2026-05-29T10:04:12Z" },
    { email: "bob@company.com", ip: "203.0.113.12", signed_at: "2026-05-29T10:05:30Z" }
  ],
  version: "1.0"
});

// A mock base64 signature corresponding to the signed hash
const sampleSignature = "Base64SignatureFromSignbeeAPI=";

const isVerified = verifyAuditTrail(sampleAuditLog, sampleSignature);
console.log(`Audit Trail Verified: ${isVerified}`);
```
The Python example below performs the equivalent verification using the standard library `hashlib` and the robust `cryptography` package.
```python
import base64
import hashlib

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_public_key

# The public key from Signbee used to verify the signature
SIGNBEE_PUBLIC_KEY_PEM = b"""-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1+zS...
-----END PUBLIC KEY-----"""


def verify_audit_trail(audit_log_json: str, base64_signature: str) -> bool:
    try:
        # 1. Convert JSON string to bytes
        data_bytes = audit_log_json.encode('utf-8')

        # 2. Compute SHA-256 hash for local audit logs
        sha256_hash = hashlib.sha256(data_bytes).hexdigest()
        print(f"Calculated SHA-256 Hash: {sha256_hash}")

        # 3. Decode base64 signature
        signature_bytes = base64.b64decode(base64_signature)

        # 4. Load the public key
        public_key = load_pem_public_key(SIGNBEE_PUBLIC_KEY_PEM)

        # 5. Verify the signature
        public_key.verify(
            signature_bytes,
            data_bytes,
            padding.PKCS1v15(),
            hashes.SHA256()
        )
        return True
    except Exception as e:
        print(f"Verification error: {e}")
        return False


# Example usage
sample_audit_log = '{"document_id":"doc_8f7b2c9d4e","created_at":"2026-05-29T10:00:00Z","signers":[{"email":"alice@acme.com","ip":"192.168.1.50","signed_at":"2026-05-29T10:04:12Z"},{"email":"bob@company.com","ip":"203.0.113.12","signed_at":"2026-05-29T10:05:30Z"}],"version":"1.0"}'
sample_signature = "Base64SignatureFromSignbeeAPI="

is_verified = verify_audit_trail(sample_audit_log, sample_signature)
print(f"Audit Trail Verified: {is_verified}")
```
The Hybrid Lifecycle: From Anonymous Sandbox to Human Onboarding
When building autonomous agents, developers face a classic cold-start problem: how to allow agents to discover, test, and integrate tools dynamically without hitting immediate payment walls or requiring manual human registration.
Signbee solves this by offering a frictionless **anonymous sandbox onboarding** workflow:
- Anonymous Generation: An AI agent can discover the Signbee API, construct a valid payload, and call the `/api/v1/send` endpoint without an API key or account creation. The agent receives a temporary sandbox document ID.
- Frictionless Execution: The document is generated, emailed to the recipient, and electronically signed. The transaction completes entirely programmatically.
- The Verification Gate: While the contract is signed, accessing the secure, cryptographic audit log requires a verified owner. The initial API response contains a unique `claim_url` representing the pending document state.
- Human Account Claim: The human developer or business owner clicks the `claim_url`. They register an account, verify their organization's domain name, and configure billing registration via Stripe.
- Transition to Production: Upon registration, all previous anonymous documents are claimed and associated with the organization. The API limits are upgraded from the sandbox limit (5 free documents per month) to full-volume production limits (1,000 requests per minute).
This hybrid approach allows developers to build and test autonomous agents in pure sandboxes, while providing a clear transition path to secure, production-grade billing and domain verification.
Frequently Asked Questions
Can AI agents legally sign contracts on behalf of a business under the ESIGN Act, eIDAS, and UK law?
Yes, AI agents can legally initiate and facilitate the signing of contracts under major global frameworks like the United States ESIGN Act, the European Union's eIDAS Regulation, and the United Kingdom's Electronic Communications Act 2000. Under these laws, the core requirement is that there must be intent to sign, attribution to the signing party, and a secure record of the transaction. When an AI agent initiates a document via an API like Signbee, the human principal remains the legally bound entity. The agent acts as an electronic medium or automated transaction tool. To ensure full compliance, the platform verifies the final human signers' identity through email-based One-Time Passwords (OTP) and links the action to a tamper-evident audit trail. This establishes an unbroken chain of attribution and consent, fulfilling the strict legal definitions of electronic execution across international jurisdictions.
How does cryptographic trust validation and SHA-256 hashing protect signed PDFs from tampering?
Cryptographic validation is the foundation of modern digital signatures. When a contract is finalized, Signbee generates a SHA-256 cryptographic hash of the entire PDF file structure, including the document body, visual signatures, and the embedded certificate of completion. This SHA-256 hash is then signed using Signbee's private key to create a digital signature that is embedded directly into the PDF. Because SHA-256 is a one-way cryptographic hash function, any alteration to the PDF—even a single character change or a tiny pixel modification—will result in a completely different hash value when re-calculated. PDF readers like Adobe Acrobat compare the calculated hash against the signed hash in the certificate. If they do not match, the reader marks the signature as invalid and warns the user, making the agreement fully tamper-evident and legally resilient.
How does the workflow transition from anonymous contract creation to human claim and billing registration?
The lifecycle of an agent-driven contract often begins in an unauthenticated or anonymous sandbox state to minimize API friction during autonomous discovery. When an AI agent generates and sends a contract, the document is registered with a temporary, unique document ID. As soon as a human recipient signs the agreement, the document moves into a pending status. To finalize the agreement and secure access to the verified audit logs, the creator or the business principal must claim the document by registering an account and verifying their domain or email address. During this claim phase, the client profile is linked to the subscription, billing registration is processed via Stripe, and the account transitions from anonymous usage limits (e.g., 5 free documents per month) to full-volume production API rate limits (1,000 requests per minute). This ensures security, prevents spam, and seamlessly moves the workflow from autonomous creation to human-managed billing.
Last updated: May 29, 2026 · Michael Beckett is the founder of Signbee and B2bee Ltd.